Security isn't a subject solely for
SysAdmins responsible for maintaining and administering large
corporate networks. It's a subject that every Linux user and
certainly every Linux administrator must educate themselves on and
always be aware of. As Linux continues to attract new users and
becomes more popular in the server space, understanding security
issues and knowing how to secure a Linux system becomes very
important.

Upon opening this book for the first time, I was immediately
impressed by the vast amount of information presented. Simply
skimming through the book's table of contents, it is easy to
appreciate the wide range of topics covered by Toxen.

The book is divided into four parts, with Part I of the book
focused on ways to secure a Linux system.

Toxen gets off to a quick start with a chapter aptly titled
"Quick Fixes for Common Problems", in which he discusses the basic
and most common security issues that most SysAdmins have to
face.

Each of these security issues, and the ones in the remaining
chapters of the book, is assigned a danger level in the form of
skull-and-crossbones symbols, with one symbol representing a minor
risk to 5 symbols indicating a very major risk.

The "Seven Most Deadly Sins" covers some basic problems that
can lead to a system or network being compromised. Part of the
chapter discusses certain basic security topics, including password
security, file permissions and firewall design.

Toxen does a particularly good job of emphasizing the risks
associated with running unneeded services and leaving open ports
that should be closed. With the growing popularity of broadband
Internet access (cable, DSL) and the ease with which some Linux
distributions allow the novice Linux user or inexperienced SysAdmin
to install a plethora of services during the base distribution
install, it's imperative that all Linux users understand the
implications and risks of running various Linux services. Most home
Linux users do not need FTP, Samba, NFS and Sendmail running on the
same box.

Toxen spends a fair amount of time discussing Sendmail, FTP
and NFS/RPC, all of which have had major exploits against them. He
also talks about various Linux programs that have had major bugs
and exploits in the recent past.

In Chapter 3, Toxen covers X security and the physical security of a
system, and describes ways to really erase data
from a hard drive. This chapter also contains an excellent section
discussing miscellaneous short topics.

Chapter 4 covers the vulnerabilities in major services
commonly running on Linux servers. Toxen covers services including
NFS, Sendmail, FTP, Samba and BIND. These are services typically
found on Linux servers running in small-to-medium networks and even
large corporate networks, either for departmental or company-wide
use.

Sendmail is still one of the most widely used MTAs on Linux
systems (and on non-Linux UNIX platforms), and Toxen discusses ways
to secure Sendmail and control spam.

Likewise, there is a generous amount of information on
securely setting up FTP, another service commonly found on Linux
servers.

In contrast to the discussion of Sendmail, FTP and Samba,
Toxen only briefly talks about BIND (the DNS daemon). This is a bit
surprising given that BIND has had quite a few exploits against it
in the past year.

The last section of this chapter, "Protecting your DNS
Registration", feels out-of-place, as the rest of the chapter
focuses on specific (configuration and setup) details about
specific Linux services.

Chapter 5 contains excellent explanations of some of the more
common types of attacks used against Linux systems, including
Packet Spoofing, TCP Sequence Spoofing and DoS attacks like Packet
Storms. The "Man in the Middle" attack is also clearly
explained.

Chapter 6 covers some advanced security issues and was one of
the most informative chapters of the book. I learned a few things
that I wasn't aware of.

As Toxen points out, one might not imagine configuring
Netscape to be an advanced topic. Nonetheless, he introduces
some good techniques to configure Netscape for higher security.
Despite the growing popularity of newer browsers like Opera and
Konqueror, Netscape is still one of the most widely used browsers
in Linux-land (and UNIX-land, for that matter).

Toxen also discusses at length Apache security issues, as
well as issues to be aware of when setting up web servers,
including a lengthy section on CGI programs.

The next topic is Toxen's interesting design for increasing
the security of an e-commerce site, specifically to ensure that
customers' credit card data cannot be stolen if the site is
cracked. He calls his approach the "One-way credit card data
path".

There is also a section on hardening a Linux system for very
high security. Buffer overflows, symlink attacks and an excellent
section on login simulators round off the rest of this
chapter.

Chapter 7 discusses a subject that is all too often
overlooked or not given enough attention in some security books:
security policies. Toxen covers pretty much every type of security
policy that is important to the management and administration of
networks. Policies covering things such as passwords, e-mail, user
accounts and laptops are discussed in detail, and even though some
of the suggestions are Linux- and UNIX-specific, they are presented
in a manner such that SysAdmins of non-UNIX networks will be able
to benefit from them. This chapter is a must-read for anyone
involved in the design and management of networks, as well as
non-technical manager-types from company IS/IT departments.

Chapter 10 is probably the most entertaining chapter of the
book. Toxen provides interesting details about some successful
break-ins, including the methods of the crackers in those
incidents. The most entertaining incidents covered in this chapter
are Toxen's own adventures cracking the UNIX systems at the
University of California at Berkeley!

Chapter 11 covers some recent attacks, including IP
fragmentation attacks, the Ping of Death and stealth scans. The
best part of this chapter is Toxen's detailed explanation of
(coordinated) distributed denial of service attacks, including
explaining how the TFN2000 stealth trojan operates. While
explaining how the TFN2000 stealth trojan works (by putting the
network interface of its target system into promiscuous mode), Toxen
thoughtfully includes a brief table of the kernel messages printed by
the respective network card drivers when those cards are switched
into promiscuous mode.

The only odd thing about this chapter was the discussion of
privacy issues (the serial number in Pentium III chips and
embedding GUIDs in documents produced by MS Word and Excel that
haven't been patched to disallow that behaviour), which clearly did
not belong in this chapter and, arguably, does not have anything to do
with Linux.

Part II of the book focuses on preparing a system for the
possibility of being cracked.

Chapter 12 is one of the longer chapters in the book,
rightfully so, since Toxen discusses three very important Linux
security tools: SSH, GPG and the kernel's firewalling capabilities.
(Okay, so firewalling is a native feature of the Linux kernel as
opposed to being a separate userspace tool).

Chapter 12 starts off with a good section on SSH, its
installation and basic usage. The part describing how to wrap SSH
around any TCP-based service was difficult to follow, and a diagram
would definitely have helped.

PGP is discussed, but Toxen spends more time on the
usage of the GNU project's PGP replacement, the GNU Privacy Guard
(GnuPG).

Linux 2.2's ipchains firewalling capabilities are explained
quite well, and he goes through a fairly detailed example showing
how to set up a firewall script for a small company network or a
home network. What's particularly good is how Toxen explains each
rule (or set of rules) meant to perform a specific type of packet
filtering.
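The kind of small-network ipchains script Toxen walks through, written here as an added example of my own (it is not the script from the book or its CD-ROM), with each rule commented the way the chapter does. It assumes a two-interface gateway: eth0 on the Internet at the placeholder documentation address 203.0.113.10, eth1 on a 192.168.1.0/24 LAN, and a box that offers only SMTP and SSH to the outside. All names and addresses are placeholders, and by default the script only prints the rules; it loads them only when run as `fw.sh load`.

```shell
#!/bin/sh
# Added example, not the script from the book: an ipchains (Linux 2.2) packet
# filter for a small office or home network behind one Linux gateway.
# Assumed layout: EXT_IF faces the Internet at address EXT, LAN_IF faces the
# internal network LAN. DRY_RUN=1 prints the rules instead of loading them.

EXT=${EXT:-203.0.113.10}        # placeholder public address (documentation range)
LAN=${LAN:-192.168.1.0/24}
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
DRY_RUN=${DRY_RUN:-0}

# ipc ARGS... -> run one ipchains command, or print it when DRY_RUN=1
ipc() {
    if [ "$DRY_RUN" = 1 ]; then echo "ipchains $*"; else ipchains "$@"; fi
}

# load_rules -> flush and install the whole rule set (input policy is DENY)
load_rules() {
    ipc -F
    ipc -P input DENY              # anything not explicitly accepted below is refused
    ipc -P output ACCEPT
    ipc -P forward DENY

    ipc -A input -i lo -j ACCEPT                        # loopback
    ipc -A input -i "$LAN_IF" -s "$LAN" -j ACCEPT       # trust the inside interface
    # Anti-spoofing: inside or loopback addresses must never arrive from outside (-l logs the hit)
    ipc -A input -i "$EXT_IF" -s "$LAN" -l -j DENY
    ipc -A input -i "$EXT_IF" -s 127.0.0.0/8 -l -j DENY
    # Services offered to the world: SMTP and SSH only
    ipc -A input -i "$EXT_IF" -p tcp -d "$EXT" 25 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p tcp -d "$EXT" 22 -j ACCEPT
    # Replies to connections we opened: TCP segments that are not bare SYNs (! -y)
    ipc -A input -i "$EXT_IF" -p tcp ! -y -d "$EXT" -j ACCEPT
    # DNS answers to unprivileged ports, and ICMP so path MTU discovery and errors work
    ipc -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$EXT" 1024:65535 -j ACCEPT
    ipc -A input -i "$EXT_IF" -p icmp -j ACCEPT
    # Log and refuse everything else arriving from outside
    ipc -A input -i "$EXT_IF" -l -j DENY
    # Masquerade the LAN behind EXT so inside hosts can reach the Internet
    ipc -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

# rule_count -> number of ipchains commands load_rules would issue
rule_count() {
    ( DRY_RUN=1; load_rules ) | grep -c '^ipchains '
}

case "${1:-}" in
    load) load_rules ;;              # really install the rules (as root, on a 2.2 kernel)
    *)    DRY_RUN=1; load_rules ;;   # default: only show what would be loaded
esac
```

The `! -y` rule is the ipchains way of admitting replies to connections the inside opened: lacking connection tracking, it lets through any TCP segment that is not a bare SYN, which also means it cannot tell a genuine reply from an ACK-flagged probe. Masquerading additionally needs `echo 1 > /proc/sys/net/ipv4/ip_forward`. On 2.4 and later kernels ipchains was replaced by iptables, where the same job is done properly with `-m state --state ESTABLISHED,RELATED`.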

Chapter 14 discusses the popular TCP Wrappers program that is
now installed by default in most distributions. Besides basic usage
and configuration, Toxen suggests additional ways in which TCP
Wrappers can be used to alert the SysAdmin of intrusion attempts
and take further actions on the intruder by spawning programs (in
this case a custom shell script written by the author). Toxen calls
his approach "Adaptive TCP Wrappers".
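To make the idea concrete, here is an added example of my own (not the script from the book) of the program that the `spawn` option in hosts.deny would hand each rejected connection to. The state file location, threshold, never-deny prefixes and pager command are assumptions; tcpd's `%d` and `%a` expansions (daemon name and client address) are real.

```shell
#!/bin/sh
# Added example (mine, not the script from the book): the program that TCP
# Wrappers spawns when it rejects a connection. Hooked in from /etc/hosts.deny
# (path assumed) with a line such as
#   ALL: ALL: spawn (/usr/local/sbin/tcpd_alert.sh %d %a) &
# where tcpd expands %d to the daemon name and %a to the client address.
# Every rejection is recorded; after THRESHOLD rejections from one address that
# address is denied for ALL wrapped services, which is the adaptive part.

STATE=${STATE:-/var/lib/tcpd_alert/attempts}     # assumed location of the attempt log
DENY=${DENY:-/etc/hosts.deny}
THRESHOLD=${THRESHOLD:-3}
NEVER_DENY=${NEVER_DENY:-"127. 192.168.1."}        # address prefixes never auto-blocked
PAGE_CMD=${PAGE_CMD:-"logger -t tcpd_alert"}       # replace with your mail or pager command

# is_trusted ADDR -> succeeds when ADDR starts with one of the NEVER_DENY prefixes
is_trusted() {
    for p in $NEVER_DENY; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# attempts_from ADDR -> number of rejected connections recorded from ADDR
attempts_from() {
    [ -f "$STATE" ] || { echo 0; return 0; }
    awk -v a="$1" '$3 == a { n++ } END { print n + 0 }' "$STATE"
}

# already_denied ADDR -> succeeds when DENY already holds an "ALL: ADDR" line
already_denied() {
    [ -f "$DENY" ] && awk -v a="$1" '$1 == "ALL:" && $2 == a { f = 1 } END { exit !f }' "$DENY"
}

# tcpd_alert DAEMON ADDR -> record the rejection and block ADDR once it reaches
# THRESHOLD; prints "trusted", "logged" or "denied"
tcpd_alert() {
    daemon=$1; addr=$2
    mkdir -p "$(dirname "$STATE")"
    printf '%s %s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$daemon" "$addr" >> "$STATE"
    if is_trusted "$addr"; then echo trusted; return 0; fi
    n=$(attempts_from "$addr")
    if [ "$n" -ge "$THRESHOLD" ] && ! already_denied "$addr"; then
        printf 'ALL: %s\n' "$addr" >> "$DENY"
        printf '%s\n' "$addr blocked after $n rejected connections (last: $daemon)" | $PAGE_CMD >&2
        echo denied; return 0
    fi
    echo logged
}

if [ $# -eq 2 ]; then tcpd_alert "$1" "$2"; fi
```

Two cautions that come with any adaptive scheme: the `NEVER_DENY` list exists because an attacker who can make connections appear to come from a partner site can otherwise get that site locked out of every wrapped service, and the address tcpd reports is only reliable for TCP services, since the connection has completed a handshake; for UDP services it can be forged. Keep your own networks in hosts.allow as well, so they never reach the deny file at all.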

Toxen also talks about the importance of testing networks and
systems for their level of security by conducting intrusion drills
before a real intrusion occurs. He also suggests testing network
security by using Tiger Teams.

Scanners are the subject of the unusually short Chapter 15.
While Toxen does discuss the usage of Nmap very well, other
scanning tools, such as Nessus, SARA and SAINT, are only mentioned
in passing. Also, the password file cracking tool "John the Ripper"
is mentioned very briefly, as is the IDS tool Snort.

Part III of the book discusses ways in which intrusion
attempts can be detected on a system. In Chapter 16, Toxen presents
ways in which logfiles, ports and running processes on a system can
be monitored to check for intrusion attempts, using a combination
of shell scripts and common tools found on all Linux (and most
UNIX) systems, like find, ps, fuser and tcpdump.

Toxen also discusses in detail how custom shell scripts can
be created to page a SysAdmin if certain suspicious events occur on
a network, such as failed Telnet logins or failed
su attempts.
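An added example of such a script, mine rather than the book's, handling the two events named above: failed su and failed (telnet) login attempts, in the syslog format those programs write. The log lines it scans are constructed for the demonstration, and the "pager" is a placeholder spool file plus a line on stderr; a real site would pipe the message to mail or a paging gateway.

```shell
#!/bin/sh
# Added example (mine, not the book's script): scan syslog-format auth messages
# for failed su and failed login attempts and page the admin when a source
# crosses a threshold. The lines written by make_sample_log are constructed for
# the demo; point the script at /var/log/messages or /var/log/auth.log for real use.

PAGE_LOG=${PAGE_LOG:-/tmp/pages.log}      # assumed spool; a real site pipes to mail or a pager

# make_sample_log FILE -> write constructed sample syslog lines to FILE
make_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:02:11 host su[1234]: FAILED su for root by bob
Mar  3 10:02:15 host su[1235]: FAILED SU (to root) bob on /dev/pts/1
Mar  3 10:03:01 host login[2200]: FAILED LOGIN 1 FROM 10.0.0.9 FOR alice, Authentication failure
Mar  3 10:03:05 host login[2201]: FAILED LOGIN 2 FROM 10.0.0.9 FOR alice, Authentication failure
Mar  3 10:03:09 host login[2202]: FAILED LOGIN 3 FROM 10.0.0.9 FOR alice, Authentication failure
Mar  3 10:03:40 host login[2210]: FAILED LOGIN 1 FROM 192.168.1.5 FOR bob, Authentication failure
Mar  3 10:04:00 host su[1240]: + pts/2 bob:root
EOF
}

# count_failed_su FILE -> number of failed su attempts in FILE
count_failed_su() {
    grep -c 'su\[[0-9]*\]: FAILED' "$1" || true
}

# failed_logins_by_source FILE -> "count address" lines, busiest source first
failed_logins_by_source() {
    awk '/login\[[0-9]+\]: FAILED LOGIN/ {
             for (i = 1; i <= NF; i++) if ($i == "FROM") n[$(i+1)]++
         }
         END { for (h in n) print n[h], h }' "$1" | sort -rn
}

# page_admin MESSAGE -> deliver the alert (spooled to PAGE_LOG and echoed to stderr here)
page_admin() {
    printf '%s\n' "$1" >> "$PAGE_LOG"
    printf 'PAGE: %s\n' "$1" >&2
}

# check_auth_log FILE THRESHOLD -> page once if any su failed and once per
# source with at least THRESHOLD failed logins; prints the number of pages sent
check_auth_log() {
    log=$1; thr=$2; pages=0
    host=$(uname -n)
    su_fail=$(count_failed_su "$log")
    if [ "$su_fail" -gt 0 ]; then
        page_admin "$host: $su_fail failed su attempt(s)"
        pages=$((pages + 1))
    fi
    for src in $(failed_logins_by_source "$log" | awk -v t="$thr" '$1 >= t { print $2 }'); do
        page_admin "$host: $thr or more failed logins from $src"
        pages=$((pages + 1))
    done
    echo "$pages"
}

if [ $# -ge 1 ]; then check_auth_log "$1" "${2:-3}"; fi
```

Run it from cron against the live log, or from a `tail -f` loop if minutes matter. Note that it trusts the log: an intruder who already has root can edit or stop syslog, which is why the book's advice to log to a separate, hardened loghost matters more than any single detection script.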

In Chapter 17, Toxen explains how to periodically check for
system anomalies that might be indications of intrusions and/or
cracker activity. Toxen shows how to use the ubiquitous find
utility to check for files with incorrect and/or suspicious
permissions and ownership modes. Installation and configuration of
Tripwire is also discussed in this chapter. There is also a
discussion of useful shell scripts for detecting promiscuous
network interface cards and the process(es) that might have put the
NICs into that mode.
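Chapter 11's table of driver messages and Chapter 17's promiscuous-NIC scripts answer the same question, so here is one added example of my own (not from the book or its CD-ROM) that answers it on a current Linux from /sys and /proc rather than from kernel log messages: which interfaces are in promiscuous mode, and which processes hold the raw packet sockets a sniffer or a DDoS agent would be listening on. The IFF_PROMISC bit value comes from linux/if.h; the file layout is assumed to be the standard one.

```shell
#!/bin/sh
# Added example (mine, not Toxen's script): report interfaces in promiscuous
# mode and the processes holding AF_PACKET sockets, which is how a sniffer or
# a DDoS agent such as TFN2K would be listening. Assumes the Linux /sys and
# /proc layouts; IFF_PROMISC is 0x100 in the interface flags (linux/if.h).

IFF_PROMISC=256    # 0x100

# promisc_from_flags FLAGS -> "yes" if the IFF_PROMISC bit is set in FLAGS (hex or decimal)
promisc_from_flags() {
    flags=$(( $1 ))
    if [ $(( flags & IFF_PROMISC )) -ne 0 ]; then echo yes; else echo no; fi
}

# list_promisc_ifaces -> names of interfaces currently in promiscuous mode
list_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        iface=${f#/sys/class/net/}; iface=${iface%/flags}
        if [ "$(promisc_from_flags "$(cat "$f")")" = yes ]; then echo "$iface"; fi
    done
    return 0
}

# packet_socket_owners -> "pid command" for each process holding a raw packet socket
packet_socket_owners() {
    [ -r /proc/net/packet ] || return 0
    # /proc/net/packet lists one socket per line after the header, inode in the last column
    for inode in $(awk 'NR > 1 { print $NF }' /proc/net/packet); do
        for fd in /proc/[0-9]*/fd/*; do
            [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
            pid=${fd#/proc/}; pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        done
    done | sort -u
    return 0
}

# report -> both lists, for a cron job or a quick manual check
report() {
    echo "Interfaces in promiscuous mode:"; list_promisc_ifaces
    echo "Processes holding packet sockets:"; packet_socket_owners
}
report
```

On the 2.2 systems the book covers, `ifconfig` showed a PROMISC flag in its output and the driver messages in Toxen's table are the log-side evidence of the same event; `ip link show` reports PROMISC today. Two caveats: a kernel-level rootkit can hide both the flag and the socket, so the check is only as honest as the kernel it runs on, and bridges, VM hosts and monitoring tools set promiscuous mode legitimately, so the result needs to be compared against what the box is supposed to be doing.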

Automatic detection of defaced web pages is also covered
using a combination of scripts and programs written by the author.
Given the number of large and high-profile sites that have had
their web pages defaced in the last year alone, Toxen is doing a
public service by showing techniques that automate the detection of
defaced web pages.

Part IV of the book talks about recovering from an
intrusion.

Chapter 18 gives hands-on tips for gaining control of a
system that has been cracked by trying to find out as much as
possible about the intrusion and the cracker responsible for it,
while at the same time minimizing further damage to the system(s).
Toxen shows how to find the cracker's running processes and, once
found, how to obtain information from these processes about the
nature, source, etc. of the intrusion.
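A worked illustration, my own and not Toxen's, of pulling that information out of /proc for a suspect process without disturbing it. The list of suspect directories and the hidden-path heuristic are my assumptions, not rules from the book.

```shell
#!/bin/sh
# Added example (mine, not Toxen's): look at a suspect process through /proc
# before anything is killed. Only readlink, tr and the shell are used; on a
# cracked box run them from trusted read-only media. SUSPECT_DIRS and the
# hidden-path heuristic are my assumptions, not rules from the book.

SUSPECT_DIRS=${SUSPECT_DIRS:-"/tmp /var/tmp /dev/shm"}   # binaries run from here are suspect

# is_suspicious_path PATH -> "yes" when the executable was deleted while running,
# has a hidden ("/.") component, or lives under one of SUSPECT_DIRS; else "no"
is_suspicious_path() {
    case "$1" in
        *" (deleted)") echo yes; return 0 ;;
        */.*)          echo yes; return 0 ;;
    esac
    for d in $SUSPECT_DIRS; do
        case "$1" in "$d"/*) echo yes; return 0 ;; esac
    done
    echo no
}

# triage_pid PID -> exe, cwd, command line and open descriptors of PID
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such process: $pid"; return 1; }
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo unknown)
    printf 'pid: %s\nexe: %s (suspicious: %s)\n' "$pid" "$exe" "$(is_suspicious_path "$exe")"
    printf 'cwd: %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo unknown)"
    printf 'cmdline: %s\n' "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo 'open files and sockets:'
    for fd in "/proc/$pid/fd"/*; do
        [ -L "$fd" ] || continue
        printf '  %s -> %s\n' "${fd##*/}" "$(readlink "$fd" 2>/dev/null || echo '?')"
    done
    return 0
}

# suspicious_processes -> "pid exe" for every process whose executable looks wrong
suspicious_processes() {
    for d in /proc/[0-9]*; do
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        if [ "$(is_suspicious_path "$exe")" = yes ]; then echo "${d#/proc/} $exe"; fi
    done
    return 0
}

if [ $# -ge 1 ]; then triage_pid "$1"; else suspicious_processes; fi
```

Before killing anything, copy `/proc/PID/exe` to evidence media: the link stays readable even when the cracker has deleted the binary from disk, which is the usual trick for leaving nothing for `find` to see. Capture the open descriptors for the same reason, since they name the sockets and files the process is using right now.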

In Chapter 19, Toxen shows how to find and repair the damage
caused by a cracker. Some of the more important log files and the
types of entries to look for in them when trying to determine the
extent of the damage caused during an intrusion are
presented.

Toxen makes an important point about the necessity of having
a set of secure boot floppies with copies of untampered, secure
versions of common UNIX utilities like ls,
ps, top, find, etc. Once a system has been cracked, the
SysAdmin cannot be sure of how many trojans have been installed on
the system by the cracker, and certainly cannot trust that
important system binaries have not been tampered with or
trojaned.

Toxen suggests comparing files on the cracked system with
previous backups (if there are recent enough backups) and using
package managers like RPM to verify the integrity of installed
packages. However, many people (including myself) consider a safer
alternative to be reinstalling the entire system from known and
trusted sources, after having recovered as much user data as
possible from the cracked system.
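As an added illustration of the package-manager check (my own script, not the book's), the following ranks the output of `rpm -Va` so that changed binaries surface above edited configuration files. The sample lines are constructed. The caveat that matters is that `rpm -V` trusts the rpm binary, its libraries, the kernel and the RPM database on the compromised disk, all of which a rootkit can alter, so the check is only worth something when run from trusted boot media against the mounted disk (`rpm --root /mnt/suspect -Va`) or against the original package files (`rpm -Vp package.rpm`).

```shell
#!/bin/sh
# Added example (mine, not Toxen's): turn "rpm -Va" output into a ranked list of
# files to look at. Each line is an attribute string (S size, M mode, 5 MD5,
# D device, L link, U user, G group, T mtime; "." = unchanged), an optional file
# type ("c" = config file) and the path, or "missing" followed by the path.
# The sample is constructed; for real output use: rpm -Va 2>/dev/null | rank_rpm_verify

# sample_rpm_verify -> constructed lines in the format rpm -Va prints
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /bin/ls
.......T.    /usr/bin/top
S.5....T.  c /etc/sendmail.cf
missing      /usr/bin/find
.M.......    /usr/bin/passwd
.....U...    /usr/sbin/in.telnetd
EOF
}

# rank_rpm_verify -> reads rpm -Va lines on stdin and prints "SEVERITY path reason",
# most serious first (CRITICAL, HIGH, LOW, INFO)
rank_rpm_verify() {
    awk '
        $1 == "missing" { print "1 CRITICAL " $NF " missing from disk"; next }
        {
            flags = $1; path = $NF; type = (NF == 3) ? $2 : ""
            if (type == "c")           print "4 INFO " path " config file edited (" flags "), review by hand"
            else if (flags ~ /[S5L]/)  print "1 CRITICAL " path " contents differ from package (" flags ")"
            else if (flags ~ /[MUG]/)  print "2 HIGH " path " mode or owner changed (" flags ")"
            else                       print "3 LOW " path " metadata only (" flags ")"
        }' | sort -n | cut -d ' ' -f 2-
}

# count_severity SEVERITY -> number of lines on stdin at that severity
count_severity() {
    grep -c "^$1 " || true
}

sample_rpm_verify | rank_rpm_verify
```

A changed MD5 or size on a non-config binary is the line to act on; a config file that differs is normal on any administered machine and only tells you to diff it against your backup. Files that were never packaged (a cracker's own additions) do not appear at all, which is the gap Tripwire or a comparison against backups has to cover.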

Chapter 20 shows how to find the cracker's system using a
combination of network tools commonly found on Linux, including
traceroute, ping, whois, nslookup
and dig. Along the way, Toxen also
brings up some good points to remember when dealing with SysAdmins
of systems found on the trail to the attacker's system, as well as
with users whose accounts have been compromised by a
cracker.

The last chapter in this section (and in the book) talks
about some of the major American law enforcement agencies and their
policies and methods when dealing with incidents of computer
attacks and crime. Toxen also mentions the criteria by which some
of these law enforcement agencies decide to initiate investigations
and go after the perpetrator of such crimes. Some issues relating
to the legalities in such cases, and how SysAdmins should go about
preparing and securing evidence when working with law enforcement
agencies to track down a cracker, are also presented.

The appendices contain useful information about many
security-related resources, including important web sites (Bugtraq,
Cert), mailing lists and the many security tools mentioned in the
book (and where to download them from). Appendix H contains a list
of all the important security issues and topics discussed in the
book, sorted by their danger level (one to five
skull-and-crossbones symbols, with five being the most dangerous),
with the most dangerous ones at the top of the list. This sort
makes it easy to check for a specific issue and then drill to that
section and page of the book.

The book's companion CD-ROM contains all the scripts that
Toxen has mentioned throughout the book, as well as the source code
to some of the programs he wrote that are mentioned in the book.
Also included on the CD-ROM are most of the security tools
mentioned in the book and its appendix.

I found that the book had an easy-to-read style, and Toxen's
explanations are to-the-point, concise and clear. Toxen's writing
style has just the right touch of humour to make this book an
engaging, entertaining and informative read on the subject of Linux
security.

I would highly recommend this book to any Linux SysAdmin (and
user) interested in securing their Linux systems. From practical
hands-on tips and techniques to detailed explanations of attacks
and other Linux security issues, this book is a must-read for
anyone interested in Linux security.